Overview

A critical privilege escalation vulnerability has been identified in the Advanced Custom Fields: Extended WordPress plugin. The flaw allows unauthenticated remote attackers to assign themselves administrator privileges by submitting a role value through frontend user creation or user update forms that do not validate the role on the server. Successful exploitation results in complete compromise of the affected WordPress site.

Vulnerability Details

  • Vulnerability Type: Privilege Escalation
  • CVE ID: CVE-2025-14533
  • CVSS Score: 9.8 (Critical)
  • Attack Vector: Remote, unauthenticated
  • Affected Component: insert_user() form action
  • Root Cause: Missing server-side enforcement of role restrictions

The Advanced Custom Fields: Extended plugin fails to validate user role values submitted via frontend forms that use the Create User or Update User actions. If a role field is mapped to the form, any restriction on that field is applied only in the UI or at field level, not when the submission is processed, so an attacker who controls the request can supply an arbitrary role value such as administrator regardless of what the form offered.
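The pattern behind this class of bug, as an added example that is not code from the Advanced Custom Fields: Extended plugin and does not reproduce its fix: a frontend handler that passes a submitted role straight to wp_insert_user() next to a handler that decides the role on the server. Only WordPress core functions are used (wp_insert_user, wp_update_user, wp_roles, current_user_can, wp_verify_nonce); the function names, the hidden "role" field, the nonce action and the per-form role allowlist are assumptions for illustration.

```php
<?php
/*
 * Added example, not code from ACF: Extended. Demonstrates the advisory's
 * root cause (role restriction enforced only client-side) and a server-side
 * fix. Handler names, nonce action and $form_allowed_roles are assumptions.
 */

// VULNERABLE: the role comes from the request. Whatever the form UI hid or
// restricted is irrelevant; a raw POST can send role=administrator.
function example_create_user_vulnerable( array $post ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $post['user_login'] ?? '' ),
        'user_email' => sanitize_email( $post['user_email'] ?? '' ),
        'user_pass'  => (string) ( $post['user_pass'] ?? '' ),
        'role'       => $post['role'] ?? get_option( 'default_role' ),
    ) );
}

// Server-side role policy for a public Create User form. The allowlist is
// an assumed per-form setting; 'administrator' is stripped from it always.
function example_resolve_role( $requested, array $form_allowed_roles ) {
    $requested = sanitize_key( (string) $requested );
    // A submitter who already holds promote_users may pick any real role.
    if ( '' !== $requested && current_user_can( 'promote_users' )
        && array_key_exists( $requested, wp_roles()->get_names() ) ) {
        return $requested;
    }
    // Everyone else is limited to the form's own allowlist.
    $allowed = array_diff( $form_allowed_roles, array( 'administrator' ) );
    if ( '' !== $requested && in_array( $requested, $allowed, true ) ) {
        return $requested;
    }
    return get_option( 'default_role', 'subscriber' );
}

// HARDENED: nonce checked, role decided server-side, and an Update User
// action can never be used to raise a role without promote_users.
function example_handle_user_form( array $post, array $form_allowed_roles, $action ) {
    if ( ! isset( $post['_wpnonce'] )
        || ! wp_verify_nonce( $post['_wpnonce'], 'example_user_form' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }

    if ( 'create' === $action ) {
        return wp_insert_user( array(
            'user_login' => sanitize_user( $post['user_login'] ?? '' ),
            'user_email' => sanitize_email( $post['user_email'] ?? '' ),
            'user_pass'  => (string) ( $post['user_pass'] ?? '' ),
            'role'       => example_resolve_role( $post['role'] ?? '', $form_allowed_roles ),
        ) );
    }

    // Update User: login required; only your own account unless you can
    // edit_user on the target; role key is only set for promote_users.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'not_logged_in', 'Login required.' );
    }
    $target_id = (int) ( $post['user_id'] ?? 0 );
    if ( $target_id !== get_current_user_id()
        && ! current_user_can( 'edit_user', $target_id ) ) {
        return new WP_Error( 'forbidden', 'You may not edit this user.' );
    }
    $userdata = array(
        'ID'         => $target_id,
        'user_email' => sanitize_email( $post['user_email'] ?? '' ),
    );
    $requested = sanitize_key( (string) ( $post['role'] ?? '' ) );
    if ( '' !== $requested && current_user_can( 'promote_users' )
        && array_key_exists( $requested, wp_roles()->get_names() ) ) {
        $userdata['role'] = $requested; // unprivileged callers never reach here
    }
    return wp_update_user( $userdata );
}
```

The point of the hardened version is that the role a submission ends up with is a function of the submitter's WordPress capabilities and a server-held allowlist, never of the request body alone. Wiring the handler to a form (admin-post.php action, shortcode, or the plugin's own action hook) is left out because that part is plugin-specific and not described on this page.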

Affected Products

  • Platform: WordPress
  • Plugin: Advanced Custom Fields: Extended
  • Plugin Slug: acf-extended
  • Affected Versions: ≤ 0.9.2.1
  • Unaffected Versions: ≥ 0.9.2.2

Exploitation is only possible on sites that have configured frontend forms using the Create User or Update User actions with a mapped role field. On such sites no authentication is required, which is why the issue is rated critical despite that precondition.

Recommended Remediations

ctrl:cyber strongly recommends the following actions:

  • Update Advanced Custom Fields: Extended to version 0.9.2.2 or later
  • Audit all frontend user creation and update forms
  • Remove role fields from public or low-privilege forms
  • Review administrator accounts for unauthorized additions
  • Restrict frontend user management features to authenticated users only